[Pdns-users] PDNS Server migration - Using AXFR to a Slave-Capable Backend

Mislav | SysAdmin mislavorsolic at gmail.com
Wed Nov 22 11:30:23 UTC 2017


If someone has the same issue, the answer is here:
https://doc.powerdns.com/authoritative/backends/generic-sql.html#generic-sql-handling-dnssec-signed-zones

"In addition, PowerDNS fully supports empty non-terminals. If you have a 
zone example.com, and a host a.b.c.example.com in it, rectify-zone (and 
the AXFR client code) will insert b.c.example.com and c.example.com in 
the records table with type NULL (SQL NULL, not ‘NULL’). Having these 
entries provides several benefits. We no longer reply NXDOMAIN for these 
shorter names (this was an RFC violation but not one that caused 
trouble). But more importantly, to do NSEC3 correctly, we need to be 
able to prove existence of these shorter names. The type=NULL records 
entry gives us a place to store the NSEC3 hash of these names."

Thanks everyone.


On 20.11.2017 09:00, Mislav | SysAdmin wrote:
> Does anyone have any other ideas on how to troubleshoot this, or can 
> anyone confirm that this is normal behavior in the new 4.1.0?
>
>
> On 16.11.2017 15:36, Mislav | SysAdmin wrote:
>> Is this something new by default in 4.1.0? We don't have DNSSEC 
>> enabled in the old environment, if this is DNSSEC related.
>>
>>
>> On 16.11.2017 15:25, David wrote:
>>> On 2017-11-16 2:07 AM, Mislav | SysAdmin wrote:
>>>> Hi. I've the following setup:
>>>> 1) pdns server version 3.1 - with mysql backend
>>>> 2) pdns server version 4.1.0 - with mysql backend
>>>>
>>>> What I'm trying to do is:
>>>> - replace version 3.1 with 4.1.0. I've installed a clean version of
>>>> 4.1.0 on a new server and I'm trying to do this now:
>>>> https://doc.powerdns.com/authoritative/migration.html#using-axfr-to-a-slave-capable-backend 
>>>>
>>>> Although this is working fine, my zones are transferred, AXFR is 
>>>> working, I have a small problem/question related to that.
>>>> Every time I add some domain, I always get 2-3 empty records, here is
>>>> the zone example:
>>>> 1) https://pastebin.com/LpnzKjwW - this is original master zone 
>>>> from 3.1.
>>>> 2) https://pastebin.com/5uV2Lk5N - slave zone added on 4.1.0 and
>>>> transferred using AXFR
>>>
>>> These appear to be empty non-terminals, to provide non-NXDOMAIN for 
>>> b.example.com if a.b.example.com exists.
>>>
>>> If you added a record like a.b.c.d.e.f.g.h.i.j.k.example.com you 
>>> would see a large amount of these.
>>>
>>> I believe they are also required for doing DNSSEC properly too (NSEC 
>>> specifically?)
>>>
>>>>
>>>> You will see that first zone has 23 records and when transferred, 
>>>> it has 25 records. Any idea why is there always something in
>>>> the name, but type and content are always empty? It doesn't matter if
>>>> master is pdns server 3.1, I've also tested it with one
>>>> bind/named master server and in that scenario result was the same.
>>>> Always 2-3 empty records in the zone. How to debug
>>>> this in order to find out why are those getting created in the first
>>>> place? Or how to fix this?
>>>> _______________________________________________
>>>> Pdns-users mailing list
>>>> Pdns-users at mailman.powerdns.com
>>>> https://mailman.powerdns.com/mailman/listinfo/pdns-users
>>>
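
An added example, not part of the original thread and not PowerDNS code: a sketch of the empty non-terminal rule quoted from the documentation above, predicting which extra names a slave would store with type SQL NULL after an AXFR. The function names and the sample owner names are constructed for illustration, and labels containing escaped dots are assumed not to occur.

```python
def _norm(name: str) -> str:
    """Lower-case and drop the trailing dot so names compare consistently."""
    return name.rstrip(".").lower()


def empty_non_terminals(zone: str, owner_names: list[str]) -> list[str]:
    """Names strictly between the apex and some owner name that hold no
    records themselves: the rows that show up with an empty type/content."""
    apex = _norm(zone)
    owners = {_norm(n) for n in owner_names}
    ents = set()
    for name in owners:
        if name == apex or not name.endswith("." + apex):
            continue  # the apex has no parents in-zone; skip out-of-zone names
        # Walk upward one label at a time until the apex is reached.
        parent = name.split(".", 1)[1]
        while parent != apex:
            if parent not in owners:
                ents.add(parent)  # no record of its own -> empty non-terminal
            parent = parent.split(".", 1)[1]
    # Shallowest names first, then alphabetical, for a stable listing.
    return sorted(ents, key=lambda n: (n.count("."), n))


# Constructed sample: owner names as they might appear on the master.
SAMPLE_OWNERS = [
    "example.com.",
    "www.example.com.",
    "mail.example.com.",
    "a.b.c.example.com.",
    "_sip._tcp.example.com.",
    "other.org.",  # out of zone, ignored
]

if __name__ == "__main__":
    for ent in empty_non_terminals("example.com.", SAMPLE_OWNERS):
        print(f"{ent}\ttype=NULL")
```

Comparing this list with the rows where `type` is NULL in the slave's records table separates expected empty non-terminals from rows that need investigation.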

